My question will appear to present a dumbass-ness that I do not actually possess. In other words, I don’t know what I’m doing here or even how to ask about it, but I’m not completely clueless: I’m just new to this tool and the best way to analyze its output.
I’m working on a potential hacking case. I’ve already exploited 4 of their computers (drives), imaged them and used FTK and Paraben’s P2C on them. What I’m trying to do now is see if there is any current activity happening on their network (either outbound or inbound).
I’ve got a script running that is capturing (via dumpcap, netstat, handles.exe and listdlls.exe) most of their network traffic and the running processes, et al.
I’ve got a few weeks of this data, which means mucho packets obviously. What I was hoping to find was a way to evaluate the frequency/periodicity of any particular IP address’ appearance in the dumpcap/Wireshark captures. I need a starting place.
I’ve got scripts running on the data to do more Address Name Resolutions and I will use that to knock out obviously benign addresses. But on the ones I don’t know or question, I need to figure some way of seeing when and how often any particular IP address is appearing in the captures.
And it wouldn’t be just one. It would be any that I couldn’t eliminate as benign.
I know there’s an I/O graph in Wireshark for ALL traffic… it would be great to see something like that for SPECIFIC IP addresses.
Maybe there’s a piece that is native in Wireshark itself that I haven’t found, yet. Maybe there’s an app or some other way to see this.
Any ideas? I’d sure appreciate the help.
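Added example, not part of the original post. Wireshark’s I/O Graph does accept a display filter per graph line (e.g. `ip.addr == 203.0.113.50`), which gives the per-address plot asked for; the script below shows the same two measurements done outside the GUI so they can be run over many addresses and weeks of capture files: packets-per-interval for one address, and inter-arrival statistics that flag a host that contacts an address on a fixed schedule. It uses only the Python standard library, parses classic libpcap (Ethernet link type) directly, and builds its own sample capture in memory; the addresses, timestamps and the 5-minute schedule are constructed for the demo and stand in for nothing real. For an actual capture, read the file into `data` and call `analyze(data, "<ip>")`; pcapng files are not parsed here and can be converted with `tshark -r in.pcapng -F pcap -w out.pcap`.

```python
"""Per-IP activity and periodicity from a pcap, using only the standard library.

Added example (not code from the original post). Builds a small libpcap file
in memory with constructed traffic, then shows packets-per-interval for one
address (a per-IP I/O graph) and inter-arrival statistics that flag a
beacon-like, fixed-schedule contact.
"""
import statistics
import struct
from collections import Counter

# --- minimal libpcap writer, used only to construct sample input -------------
_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET


def _ipv4_frame(src, dst):
    """Ethernet II frame carrying a bare 20-byte IPv4 header (no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip


def build_pcap(records):
    """records: iterable of (epoch_seconds, src_ip, dst_ip). Returns pcap file bytes."""
    out = bytearray(_GLOBAL_HEADER)
    for ts, src, dst in records:
        frame = _ipv4_frame(src, dst)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


# --- reader: classic libpcap, either byte order; pcapng is not handled -------
def iter_packets(data):
    """Yield (timestamp, src_ip, dst_ip) for every IPv4-over-Ethernet record."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng not handled)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                                   # skip non-IPv4 frames
        ip = frame[14:]
        yield sec + usec / 1e6, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))


# --- the two measurements the question asks for ------------------------------
def timestamps_for(data, ip, direction="any"):
    """Timestamps of packets involving `ip`; direction is 'any', 'to' or 'from'."""
    out = []
    for ts, src, dst in iter_packets(data):
        if (direction in ("any", "from") and src == ip) or \
           (direction in ("any", "to") and dst == ip):
            out.append(ts)
    return out


def activity_histogram(timestamps, bucket_seconds):
    """Packets per time bucket for one address: {bucket_start_epoch: count}."""
    counts = Counter(int(ts // bucket_seconds) * bucket_seconds for ts in timestamps)
    return dict(sorted(counts.items()))


def periodicity(timestamps):
    """Inter-arrival statistics. A low coefficient of variation (cv) over many
    samples means evenly spaced contacts, i.e. a scheduled check-in; bursty
    interactive traffic gives a cv well above 1."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return {"samples": len(ts), "median_gap": None, "cv": None}
    mean = statistics.fmean(gaps)
    return {"samples": len(ts),
            "median_gap": statistics.median(gaps),
            "cv": statistics.pstdev(gaps) / mean if mean else None}


def analyze(data, ip, bucket_seconds=600):
    ts = timestamps_for(data, ip)
    return {"histogram": activity_histogram(ts, bucket_seconds), **periodicity(ts)}


# --- constructed sample traffic (not a real capture) -------------------------
BASE = 1_700_000_400          # arbitrary epoch start, aligned to a 600 s bucket
HOST = "10.0.0.7"
BEACON_DST = "203.0.113.50"   # documentation address standing in for an unknown peer
NOISE_DST = "198.51.100.9"    # documentation address standing in for ordinary traffic


def build_sample_capture():
    records = [(BASE + 300 * i, HOST, BEACON_DST) for i in range(10)]           # every 5 min
    records += [(BASE + t, HOST, NOISE_DST) for t in (5, 17, 18, 240, 241, 905)]  # bursty
    return build_pcap(sorted(records))


if __name__ == "__main__":
    cap = build_sample_capture()
    for peer in (BEACON_DST, NOISE_DST):
        print(peer, analyze(cap, peer))
```

On the constructed data the peer contacted every five minutes comes out with a median gap of 300 s and a cv of 0, while the bursty peer has a cv above 1; real beacons jitter, so a cv in the low tenths over dozens of samples is the signal to look for, and checking the `from`/`to` directions separately keeps request/response pairs from masking the schedule. The same timestamp list can also be pulled from a real capture with `tshark -r capture.pcap -Y "ip.addr == <ip>" -T fields -e frame.time_epoch` and fed to `activity_histogram` and `periodicity` directly.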